Denying Users Access to SGD After Failed Login Attempts

SGD Administrators can enable a login failure handler so that users are denied
access to SGD after three failed login attempts. See How to Enable the Login Failure Handler. This additional security measure
only works if users have their own user profile objects in the local
repository. It does not work for the default profile objects in the System
Objects organization. See for details

The number of login attempts is configurable. See How to Change the Number of Login Attempts. By default, users
get three attempts. The count of failed attempts is local to each SGD server
and is not replicated across the array. A user is denied access across the
whole array only once the limit is reached on a single server.
For example, a user could fail to log in two times on each SGD server
in the array, but only when they fail for the third time on the same
server are they denied access to the other members of the array.

If a user is denied access, they are denied access to SGD only.
They are not denied access to the host on which SGD is
installed.

When a user is denied access, SGD deselects the Login check box on
the General tab (--enabled false) for the user profile object in the Administration Console.
To give a user access again, you must select the check box (--enabled true).

For security reasons, users are not given any indication that their account is
disabled. They see the same message as if they had typed an incorrect
password.
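The per-server counting and array-wide denial described above are easy to get wrong when reasoning about an attacker spreading attempts across servers. The following is an added example, not SGD code: a small Python model of the login failure handler semantics, with the two-attempts-per-server walk-through from the text replayed on a three-server array. Counter reset on a successful login and on administrator re-enable are assumptions of the model, not behaviour the page states.

```python
# Added example, not part of SGD: a model of the login failure handler
# semantics described above. Every server in the array keeps its own failed-
# attempt counter (not replicated); when any one counter reaches the limit the
# user profile is disabled (the equivalent of --enabled false) and, because the
# profile lives in the shared local repository, the user is then denied on
# every array member. Counter reset on success and on re-enable is an
# assumption of this model, not something the page states.
from dataclasses import dataclass


@dataclass
class UserProfile:
    name: str
    password: str          # plaintext only because this is a toy model
    enabled: bool = True   # mirrors the Login check box on the General tab


class SgdArray:
    def __init__(self, servers, max_attempts=3):
        self.servers = list(servers)
        self.max_attempts = max_attempts
        self.profiles = {}
        # failures[server][user] -> count, local to that server only
        self.failures = {s: {} for s in self.servers}

    def add_profile(self, profile):
        self.profiles[profile.name] = profile

    def login(self, server, name, password):
        """Attempt a login on one array member.

        Returns "ok" or "failed". A disabled profile and a wrong password both
        return "failed", matching the page: the user gets no hint that the
        account was locked.
        """
        profile = self.profiles.get(name)
        if profile is not None and profile.enabled:
            if profile.password == password:
                self.failures[server].pop(name, None)  # assumption: success clears this server's count
                return "ok"
            count = self.failures[server].get(name, 0) + 1
            self.failures[server][name] = count
            if count >= self.max_attempts:
                profile.enabled = False                # login failure handler fires
        return "failed"

    def admin_enable(self, name):
        """Administrator re-selects the Login check box (--enabled true)."""
        self.profiles[name].enabled = True
        for per_server in self.failures.values():
            per_server.pop(name, None)                 # assumption: counters cleared on re-enable


def demo():
    """Replays the worked example from the text on a three-server array."""
    array = SgdArray(["sgd1", "sgd2", "sgd3"])
    array.add_profile(UserProfile("alice", "correct horse"))
    # Two failures on every server: six failures in total, yet no single
    # server has reached the limit of three, so the account stays enabled.
    for server in array.servers:
        for _ in range(2):
            array.login(server, "alice", "wrong")
    enabled_after_six = array.profiles["alice"].enabled
    # A third failure on one server trips the handler on that server...
    array.login("sgd2", "alice", "wrong")
    locked = not array.profiles["alice"].enabled
    # ...and the correct password is now rejected on a different member too.
    elsewhere = array.login("sgd1", "alice", "correct horse")
    return enabled_after_six, locked, elsewhere


if __name__ == "__main__":
    print(demo())   # (True, True, 'failed')
```

The point the model makes concrete: with N servers and a limit of three, an attacker who knows the array members gets 2N guesses before any lock-out, so the effective budget scales with the array size unless the limit is lowered.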

Users Cannot Log In to Any SGD Server

If all users, including the UNIX system root user, cannot log in to
any SGD server, this might be caused by either of the following:

All authentication mechanisms are disabled

User logins to all SGD servers are disabled

To check whether all authentication mechanisms are disabled, use the following command:

$ tarantella config list | grep login

If all authentication mechanisms are disabled, enable the UNIX system authentication mechanism from
the command line, as follows:

$ tarantella config edit --login-ens 1

Once the UNIX system authentication mechanism is enabled, you can log in to
the Administration Console with the user name “Administrator” and the UNIX system root
user’s password. You can then reconfigure authentication.

To check whether user logins are disabled for an SGD server, use the
following command:

$ tarantella config list --server serv... --server-login

If user logins to all SGD servers are disabled, use the following command
to enable user logins:

$ tarantella config edit --array --server-login 1
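The two checks above are the kind of thing worth scripting on a host where nobody can log in. The following is an added example, not SGD code. It assumes (an assumption of the example, not documented on this page) that `tarantella config list` prints one "attribute: value" line per attribute, that each authentication mechanism toggle is named login-<mechanism> with 1 for enabled and 0 for disabled, and that server-login is reported in the same form; the sample output is constructed, not captured from a real server. Feed it the combined output of the two `tarantella config list` commands shown above.

```python
# Added example, not SGD code: a scripted version of the two checks above.
# Assumptions (not stated on the page): `tarantella config list` prints one
# "attribute: value" line per attribute, every authentication mechanism
# toggle is named login-<mechanism> with 1/0 for enabled/disabled, and
# server-login is reported the same way. CONSTRUCTED_OUTPUT is made up.

LOGIN_ENS_FIX = "tarantella config edit --login-ens 1"
SERVER_LOGIN_FIX = "tarantella config edit --array --server-login 1"


def parse_config(text):
    """Turn 'attribute: value' lines into a dict; lines without a colon are ignored."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def diagnose(settings):
    """Return the remediation commands implied by the settings, in the order
    the text applies them. An empty list means neither cause applies."""
    mechanisms = {k: v for k, v in settings.items() if k.startswith("login-")}
    fixes = []
    # Cause 1: every authentication mechanism is switched off. Re-enable UNIX
    # system authentication so "Administrator" + root password works again.
    if mechanisms and all(v == "0" for v in mechanisms.values()):
        fixes.append(LOGIN_ENS_FIX)
    # Cause 2: user logins are disabled on the server(s).
    if settings.get("server-login") == "0":
        fixes.append(SERVER_LOGIN_FIX)
    return fixes


# Constructed sample: both causes present at once.
CONSTRUCTED_OUTPUT = """\
login-ens: 0
login-ldap: 0
server-login: 0
"""

if __name__ == "__main__":
    for cmd in diagnose(parse_config(CONSTRUCTED_OUTPUT)):
        print(cmd)
```

Because server-login is a per-server attribute, run the `--server ... --server-login` query against each array member and concatenate the outputs before parsing; a single "0" is enough to trigger the array-wide fix, which is the safe direction.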

Using Shared Accounts for Guest Users

SGD enables more than one user to log in using the same
user name and password, for example to share an account for guest users.

Users that share a user profile object share the same application server passwords.
Guest users cannot add or change entries in the password cache. This means
that, unless an SGD Administrator has cached application server passwords for them, guest
users are prompted for a password every time they start an application. Use the Administration
Console or the tarantella passcache command to manage application server passwords for guest users.

How to Share a User Profile Between Users

In the Administration Console, go to the User Profiles tab.

Select the user profile that is to be shared.

The General tab is displayed.

For Login, select the Multiple check box.

Click Save.

Solaris OS Users Cannot Log in When Security is Enabled

If users with Solaris OS client devices find that they cannot log in
to an SGD server when SGD security services are enabled, check that the
/dev/random device is present on the client device.

SGD security services require the /dev/random device. If it is missing, install the
Solaris OS patch that contains this device.

An Ambiguous User Name Dialog Is Displayed When a User Tries to Log in

The Ambiguous User Name dialog is displayed only for users who share person
object attributes and also have the same password.

For example, there are two users with the name John Smith (cn=John Smith)
and they have chosen the same password. Their email addresses and user names
are different. If they log in with the name John Smith, SGD displays
the Ambiguous User Name dialog which asks them to provide either an email
address or a user name. The dialog displays because the credentials they supply
match more than one user. If they log in using an email address
or a user name, they are logged in.

The Ambiguous User Name dialog is displayed only if you are using LDAP
authentication or UNIX system authentication that searches for the user ID in the
local repository.

The solution is to ensure that users have unique passwords. Alternatively, configure the
user profiles to have unique attributes. SGD uses the Name (--name), Login Name (--user) and
Email Address (--email) to identify and disambiguate users.
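To make the matching rule concrete, the following is an added example, not SGD code: a Python model in which whatever the user types is matched against the three identifying attributes (--name, --user, --email) together with the password, and the result is ambiguous when more than one profile matches. It also includes the administrator-side check the last paragraph implies, listing identifiers that more than one profile carries. The profiles and passwords are constructed, and passwords are compared in plaintext only to keep the model short.

```python
# Added example, not SGD code: models why the Ambiguous User Name dialog
# appears. The typed identifier is matched against --name, --user and --email;
# if more than one profile matches the identifier AND the password, the
# credentials are ambiguous and the user must retry with an identifier that
# only one profile carries. Plaintext password comparison is for brevity only.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    name: str      # --name, the cn, e.g. "John Smith"
    user: str      # --user, the login name
    email: str     # --email
    password: str


class Repository:
    def __init__(self, profiles):
        self.profiles = list(profiles)

    def by_identifier(self, identifier):
        """Profiles whose name, login name or email equals the typed identifier."""
        return [p for p in self.profiles if identifier in (p.name, p.user, p.email)]

    def authenticate(self, identifier, password):
        """Return ("ok", profile), ("ambiguous", [profiles]) or ("failed", None)."""
        matches = [p for p in self.by_identifier(identifier) if p.password == password]
        if not matches:
            return ("failed", None)
        if len(matches) > 1:
            return ("ambiguous", matches)
        return ("ok", matches[0])


def shared_identifiers(repo):
    """Identifiers carried by more than one profile. These are the attributes
    that trigger the dialog as soon as the profiles also share a password, so
    this is the check to run before relying on unique attributes."""
    counts = Counter()
    for p in repo.profiles:
        for value in {p.name, p.user, p.email}:
            counts[value] += 1
    return {value for value, n in counts.items() if n > 1}


# Constructed sample data: two John Smiths with the same password and one
# with a different password. Only the first two can collide.
CONSTRUCTED = Repository([
    Profile("John Smith", "jsmith", "jsmith@example.com", "s3cret"),
    Profile("John Smith", "john.smith", "john.smith@example.com", "s3cret"),
    Profile("John Smith", "jsmith2", "js2@example.com", "different"),
])


def demo():
    ambiguous = CONSTRUCTED.authenticate("John Smith", "s3cret")[0]     # dialog shown
    resolved = CONSTRUCTED.authenticate("jsmith@example.com", "s3cret")[0]  # email is unique
    unique_pw = CONSTRUCTED.authenticate("John Smith", "different")[0]  # password disambiguates
    return ambiguous, resolved, unique_pw


if __name__ == "__main__":
    print(demo())                           # ('ambiguous', 'ok', 'ok')
    print(shared_identifiers(CONSTRUCTED))  # {'John Smith'}
```

Note what the model also shows: the dialog leaks that two accounts share a password, so "ensure users have unique passwords" is the fix to prefer over merely adding unique attributes.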